Project author: customcommander

Project description:
Examples on how to use git-secrets from AWSLabs to find secrets in your Git repository
Language: Dockerfile
Project address: git://github.com/customcommander/git-secrets-examples.git
Created: 2020-06-03T21:11:42Z
Project community: https://github.com/customcommander/git-secrets-examples

License: Creative Commons Zero v1.0 Universal

git-secrets examples

Various examples on how to use git-secrets to detect secrets both in your current source tree and in your Git history.

This is the canonical source for this post of mine:

https://softwarerecs.stackexchange.com/q/74761/67727

Try This Yourself

All the How Tos below have been verified against a reproducible Dockerised environment.

Clone this repository and simply execute ./run.sh (assuming you have Docker installed on your machine).

The Docker container has git-secrets installed in addition to a few Git repositories to experiment with.

How Tos

How To Install?

Fetch the latest release (1.3.0 below), unzip it and install it with Make. The git-secrets binary should then be in your PATH (make install copies it under /usr/local by default, so it may need root). e.g.,

  curl -L -o /tmp/git-secrets.zip https://github.com/awslabs/git-secrets/archive/1.3.0.zip
  cd /tmp
  unzip git-secrets.zip
  cd git-secrets-1.3.0
  make install

You’re not done yet! The hooks must also be installed in each Git repository you want to protect; it is these hooks (pre-commit, commit-msg and prepare-commit-msg) that reject a commit whose staged changes or message match a prohibited pattern (--install refuses to overwrite existing hooks unless you pass -f). e.g.,

  cd /path/to/repo
  git-secrets --install

From now on the How Tos below assume that git-secrets is in your PATH and that the hooks have been installed.

How To Find Secrets In A Git Repository?

We’ll be looking for the following patterns:

  • token
  • username
  • password

Note that git-secrets treats each pattern as an extended regular expression (unless it was added with --literal), so a bare word like these also matches any harmless line that merely contains it, such as documentation; false positives are allow-listed with git secrets --add --allowed <pattern>.

We want to know which files match these patterns in the current source tree and across the entire Git history.

To demonstrate the capabilities of git-secrets we’ll add the first pattern from the CLI (it is stored in the repository’s Git config as secrets.patterns, so it applies to this repository only unless you pass --global):

  # at the root of the repo
  git secrets --add token

The two other patterns will be loaded from a file, /var/forbidden-patterns.txt, containing:

  username
  password

The file is registered as a provider, i.e. a command that git-secrets runs on every scan to obtain additional patterns, so the file must exist on every machine where the scan runs:

  # at the root of the repo
  git secrets --add-provider -- cat /var/forbidden-patterns.txt

Now let’s add the following files to our Git repo. (If the hooks are installed in this repository, the pre-commit hook will reject these commits, which is exactly what it is for; pass --no-verify to git commit to push the demo secrets through.)

First secrets-1.txt:

  username=abc
  password=123

  # at the root of your repo
  git add secrets-1.txt
  git commit -m "add secrets-1.txt"
  # please note that we're now removing the file!
  git rm secrets-1.txt
  git commit -m "remove secrets-1.txt"

Then secrets-2.txt:

  token=123456789

  # at the root of your repo
  git add secrets-2.txt
  git commit -m "add secrets-2.txt"

Now let’s scan the current source tree (with no file arguments, --scan checks every file tracked by Git; add --untracked to include untracked files as well):

  # at the root of your repo
  git secrets --scan

Which outputs the following and exits with a non-zero status, so the same command can fail a CI job:

  secrets-2.txt:1:token=123456789

It hasn’t found secrets-1.txt because that file has been deleted from the source tree. However, we also want to make sure we’re not exposing secrets in the Git history. Let’s do that:

  git secrets --scan-history

Which outputs:

  c5e7f9887ed95f7d3aeb4ed011a8235e238b9ed1:secrets-2.txt:1:token=123456789
  c0082ddbb0e2b14499808b376e133a6fbb5799cc:secrets-1.txt:1:username=abc
  c0082ddbb0e2b14499808b376e133a6fbb5799cc:secrets-1.txt:2:password=123

Each line reads <commit>:<file>:<line>:<content>, so we can now see in which commits a secret has been found. Deleting the file did not remove the secret: it is still in every commit that contained it, and anyone with a clone has it, so treat such a secret as compromised (rotate it) and rewrite the history if the repository itself has to be cleaned.
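The whole How To as one script, added here as an example that is not part of the git-secrets-examples repository: it rebuilds the demo repository in a temporary directory, registers the three patterns and runs both scans, returning the matches as values a script can check rather than only printing them. Assumptions not in the original: a temporary file stands in for /var/forbidden-patterns.txt, commits use a throwaway identity and bypass any installed hook with --no-verify, and when the git-secrets binary is not on PATH the scans are reproduced with the git grep invocation that, to my understanding, git-secrets wraps (git grep -nwHEI over the work tree, and over the commits from git rev-list --all for the history), which is also where the <commit>:<file>:<line>:<content> format comes from.

```shell
#!/bin/sh
# Added example (not from the git-secrets-examples repository): rebuilds the
# demo repository of this How To in a temporary directory, registers the three
# patterns and runs both scans, returning the matches instead of only printing
# them. Without the git-secrets binary on PATH the scans fall back to the
# git grep call that git-secrets wraps (assumption: `git grep -nwHEI` over the
# work tree, and over `git rev-list --all` for the history).
set -u

REPO=""          # throwaway repository, set by build_demo_repo
PATTERN_FILE=""  # stand-in for /var/forbidden-patterns.txt (assumption)

# git with a throwaway identity, no signing, no colour and a fixed branch name
# so the commits and the greps behave the same on any machine.
gitc() {
  git -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false \
      -c init.defaultBranch=main -c color.ui=never "$@"
}

have_git_secrets() { command -v git-secrets >/dev/null 2>&1; }

# Same history as the How To: secrets-1.txt is committed and then removed,
# secrets-2.txt is still in the tree. --no-verify bypasses any installed
# pre-commit hook, which would otherwise (correctly) refuse these commits.
build_demo_repo() {
  REPO=$(mktemp -d)
  PATTERN_FILE=$(mktemp)
  printf 'username\npassword\n' > "$PATTERN_FILE"
  gitc -C "$REPO" init -q
  printf 'username=abc\npassword=123\n' > "$REPO/secrets-1.txt"
  gitc -C "$REPO" add secrets-1.txt
  gitc -C "$REPO" commit -q --no-verify -m "add secrets-1.txt"
  gitc -C "$REPO" rm -q secrets-1.txt
  gitc -C "$REPO" commit -q --no-verify -m "remove secrets-1.txt"
  printf 'token=123456789\n' > "$REPO/secrets-2.txt"
  gitc -C "$REPO" add secrets-2.txt
  gitc -C "$REPO" commit -q --no-verify -m "add secrets-2.txt"
}

# Register the patterns as the How To does; they land in the repository's
# .git/config as secrets.patterns and secrets.providers. The fallback reads
# the same two sources directly, so there is nothing to register for it.
configure_patterns() {
  have_git_secrets || return 0
  gitc -C "$REPO" secrets --add token
  gitc -C "$REPO" secrets --add-provider -- cat "$PATTERN_FILE"
}

# "token|username|password": the CLI pattern plus the provider file, joined
# into one extended regex (assumption: this is how git-secrets combines them).
combined_pattern() {
  printf 'token|%s' "$(paste -s -d '|' "$PATTERN_FILE")"
}

# Matches in the tracked work tree, one "<file>:<line>:<content>" per line.
# git-secrets prints the matches together with an [ERROR] banner and exits 1;
# only the match lines are kept. Note the exit codes differ: git grep exits 0
# on a match, which is why the real tool is the one to use as a CI gate.
scan_tree() {
  if have_git_secrets; then
    gitc -C "$REPO" secrets --scan 2>&1 | grep -E '^[^:]+:[0-9]+:' || true
  else
    gitc -C "$REPO" grep -nwHEI -e "$(combined_pattern)" || true
  fi
}

# Matches in every commit, one "<commit>:<file>:<line>:<content>" per line.
# Deleted files still show up in the commits that contained them.
scan_history() {
  if have_git_secrets; then
    gitc -C "$REPO" secrets --scan-history 2>&1 \
      | grep -E '^[0-9a-f]{40}:[^:]+:[0-9]+:' || true
  else
    # shellcheck disable=SC2046  # one argument per commit is intended
    gitc -C "$REPO" grep -nwHEI -e "$(combined_pattern)" \
      $(gitc -C "$REPO" rev-list --all) || true
  fi
}

cleanup() { rm -rf "$REPO" "$PATTERN_FILE"; }

# Stand-alone run: show both scans, then remove the temporary repository.
build_demo_repo && configure_patterns
echo "== scan of the source tree"; scan_tree
echo "== scan of the history";     scan_history
cleanup
```

Run it with sh or bash; the tree scan yields the single secrets-2.txt line and the history scan yields the three lines shown above (with this repository's own commit ids). The fallback is for seeing where the output format comes from, not a replacement: only git secrets --scan gives the non-zero exit status that lets a CI job fail on a match.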